
Using this URI I am trying to generate access tokens

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

and the access tokens were successfully generated.

And I am passing client_id, client_secret, grant_type and scope.

When I tried to check https://jwt.io/#encoded-jwt I found that it's an Invalid signature.

When I am trying to access this site by performing the following call

https://graph.microsoft.com/beta/sites/<tenant_id>/lists

using those access tokens I am getting the following error: "AccessDenied, Either scp or roles claim need to be present in the token."

{
    "error": {
        "code": "AccessDenied",
        "message": "Either scp or roles claim need to be present in the token.",
        "innerError": {
            "request-id": " ",
            "date": " "
        }
    }
}

In order to access the site and get the list in the format of application/json, please suggest what should be included to get the roles claim in the token?

Divyashree R

1 Answer

After configuring permissions, you need to click grant admin consent button.


You can check if the token has the permission by decoding the access token.


When I tried to check https://jwt.io/#encoded-jwt I found that it's an Invalid signature.

You can change the ALGORITHM to HS256 to resolve this issue.


Tony Ju
  • I am not using Azure portal. I am using apps.dev.microsoft.com. – Divyashree R Apr 23 '19 at 06:44
  • @DivyashreeR You will no longer manage Azure AD applications there. It is recommended to manage your application on the Azure portal. Just click the "go to the Azure portal" link at the bottom of https://apps.dev.microsoft.com/#/appList – Tony Ju Apr 23 '19 at 06:50
  • @DivyashreeR I tested this just now. If we add permission via apps.dev.microsoft.com, we still need to click grant admin consent button on Azure portal. – Tony Ju Apr 23 '19 at 07:23
  • @DivyashreeR Do you have any other concerns regarding this question? – Tony Ju Apr 23 '19 at 10:02
  • We do not do admin consent as we do not have any UI for sign-in, and all API calls are happening in the backend to fetch the site data. I am worried whether we are passing the right parameters (grant_type: client_credentials, scope: graph.microsoft.com/.default). Or is it anything to do with the publisher domain in the manifest file? – Divyashree R Apr 23 '19 at 10:30
  • @DivyashreeR Yes, but the application permission 'Sites.Read.All' also needs admin consent. It has nothing to do with the user login. I have tested this on my side. If I don't click admin consent, I will encounter the same error as yours. After clicking admin consent, it works. – Tony Ju Apr 23 '19 at 10:51
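The client_credentials request described in the question and the "decode the token and look for roles" check from the answer, worked through as an added Python example (this is not code from the original post or from Microsoft). It builds the v2.0 token request with scope https://graph.microsoft.com/.default, decodes the returned JWT without verifying it (decoding the payload needs no key; a real signature check needs the tenant's RSA public keys from https://login.microsoftonline.com/<tenant_id>/discovery/v2.0/keys, since the token is RS256-signed), and reports whether a roles (app-only) or scp (delegated) claim is present, which is exactly what Graph's AccessDenied message is complaining about. The tenant id, client id, secret, kid and sample claims are placeholders; the two sample tokens are constructed in the block with a dummy signature so the check can run offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# /.default on the app-only flow requests every application permission that
# has been admin-consented for the app; without consent, no roles claim is issued.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client_credentials grant on the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": GRAPH_SCOPE,
    })
    return url, body


def request_token(tenant_id, client_id, client_secret):
    """Send the request and return the access token (needs network; not used offline)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Split header.payload.signature and parse the two JSON parts. No verification."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_graph_authorization(token):
    """Report which authorization claim the token carries, if any.

    roles: list of application permissions (app-only tokens, e.g. Sites.Read.All)
    scp:   space-separated delegated scopes (tokens issued for a signed-in user)
    Graph rejects a token that has neither, which is the AccessDenied in the question.
    """
    header, claims = decode_jwt_unverified(token)
    roles = claims.get("roles", [])
    scp = claims.get("scp", "")
    return {
        "alg": header.get("alg"),          # expect RS256 for Azure AD tokens
        "aud": claims.get("aud"),          # expect Graph as the audience
        "roles": list(roles),
        "scp": scp.split() if scp else [],
        "ok": bool(roles or scp),
    }


def _make_sample_token(claims):
    """CONSTRUCTED token for offline demonstration only; the signature is a dummy."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{sig}"


# Constructed samples: what a consented app-only token looks like versus one
# issued before admin consent was granted (no roles, no scp).
SAMPLE_CONSENTED = _make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]})
SAMPLE_NOT_CONSENTED = _make_sample_token(
    {"aud": "https://graph.microsoft.com"})


if __name__ == "__main__":
    for name, tok in (("consented", SAMPLE_CONSENTED), ("not consented", SAMPLE_NOT_CONSENTED)):
        print(name, check_graph_authorization(tok))
```

Run check_graph_authorization on the real token returned by request_token after clicking "Grant admin consent"; if "roles" is still empty, the consent did not cover the permission the call needs, and Graph will keep returning the same AccessDenied.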